The surveillance app harvested data from thousands of Android phones using Google’s own servers, until a researcher exposed a critical flaw.
What happened
Google has taken down Catwatchful, an Android spyware operation that was using its Firebase cloud infrastructure to store data stolen from thousands of compromised devices. The company acted after TechCrunch alerted it to the operation in mid-June, but it took nearly a month to investigate and suspend the account. Google spokesperson Ed Fernandez confirmed the suspension, citing a violation of Google’s terms of service.
Catwatchful, disguised as a parental control app, was marketed as ‘undetectable’ and required physical access to a target’s device for installation. Once installed, it silently collected messages, photos, and location data, sending it to a dashboard accessible by the person who planted the app.
Going deeper
Security researcher Eric Daigle first discovered Catwatchful through a bug that left its backend Firebase database publicly accessible without authentication. The database exposed 62,000 customer emails and plaintext passwords, and records from 26,000 victim devices.
The leaked information also identified the app’s developer, Omar Soca Charcov of Uruguay. When contacted by TechCrunch, Charcov did not respond or indicate any plan to notify affected users. As a result, the breach database was shared with Have I Been Pwned, a public breach notification platform.
Though Catwatchful is now offline, it follows a recurring pattern: spyware developers collecting massive amounts of sensitive data without proper safeguards, only to have it exposed through poor security practices.
What was said
Google declined to explain why the suspension took a month, despite its policies banning spyware hosting. TechCrunch’s investigation showed that as of July 25, Catwatchful was no longer receiving or transmitting data.
The big picture
According to TechCrunch, “Catwatchful is by TechCrunch’s count the fifth spyware operation this year to have spilled users’ data,” and part of “more than two-dozen known spyware operations since 2017 that have exposed their banks of data.” These repeated exposures reflect a deeper problem: many spyware developers fail to implement basic security measures, leaving both their users and victims vulnerable. Despite being taken down, Catwatchful fits into a broader trend of reckless data handling within the surveillance software industry.
FAQs
What is Firebase, and why was it used by Catwatchful?
Firebase is a cloud-based development platform by Google that offers tools for hosting and storing app data. Catwatchful used Firebase to manage its backend operations, including storing stolen user data.
What should someone do if they think their phone is infected?
Before removing any spyware, create a safety plan, especially if you're in a situation involving surveillance or control by someone else. Then consult a trusted digital safety resource or reset your phone.
Why do spyware developers keep getting exposed by data breaches?
Many spyware operations suffer from poor coding practices and lack basic cybersecurity protections, making their infrastructure vulnerable to researchers or attackers.
Will Google alert victims or prevent future abuse on its platforms?
Google has not stated whether it will notify those affected. While it suspended Catwatchful, the incident raises broader concerns about how effectively platforms detect abuse of their services.
Farah Amod
